Designed to defraud: the why of voice verification

Terminating bugs in your system is expensive in more than one way. With over 3B active Internet users, websites are more exposed than ever, and ransomware and malvertising are growing with them. Awareness and prevention techniques are getting better, but so are cybercriminals (for instance, read about malicious ads or Dridex as new ways of operating).

There are features within an app that can be implemented and improved to dazzle users and exceed their expectations. Then there are those that are just expected to work. The features that you only notice when they don’t work, like tap water or electricity. Or mobile security.

Look what happened to Netflix and Amazon!

The Dark Web offers everything from “Immortality guides” by “Junk scientists” to more serious scams like hacked bank accounts or a lifetime of Netflix, prepaid with stolen credit cards.

Courvoisier

In early 2015, word got out that a hacker/vendor going by the name Courvoisier was selling user accounts on the black market Alpha Bay, so that login credentials and credit card details could be accessed and various services used for free. “Courvoisier” further expanded his business by selling tutorials on how to use the stolen details, and another vendor, ThinkingForward, was promoting a similar offer.

Any corporation, big or small, could get scammed: during the same period, companies including Netflix and Amazon also hit the hacker jackpot. Account information was priced from less than a buck to almost thirty dollars. All purchases would include logins and passwords, but for Amazon the damage was bigger than that.

With accounts obtained from an Amazon campaign, buyers could get hold of personal information including banking details and addresses, and the feedback was “overwhelmingly positive”. Courvoisier claimed to have sold all but 14 accounts when IBT reported this in late March.

Gator League

Unfortunately, the story extends beyond Courvoisier. Rumors about an activist hacker group by the name of Gator League were circulating the web in late 2014. To give a brief background, Gator League hacked the British surveillance agency GCHQ (announcing the DDoS attack on a Twitter account, which is now suspended), as well as North Korea, causing Internet outages for 9.5 hours. After that, Gator League claimed to have hacked Netflix, giving out 25k user accounts as Christmas gifts to their fans.

Around six months later, in June 2015, the NFIB identified Action Fraud reports on purchased accounts for Spotify, Sky Go, Hulu and, of course, Netflix. In this case, vendors were offering cheap subscriptions on eBay to unaware buyers, who didn’t realize it until they’d been blocked or their names had been swapped. The information is presumed to have been obtained from stolen identities, phishing, smishing, malware or code-generating programs. “Purchasers unwittingly become the hackers”, the article states.

The same could happen to VoIP services!

Another way of exploiting the system has been found by Danish full-stack dev Andrei Neculaesei. In short, a Uniform Resource Identifier (URI) scheme called tel makes phone numbers appear as links on mobile devices. The problem is that many native mobile apps, such as Facebook Messenger or Google+, don’t prompt the user before launching a call, as a regular dial does by default. Basically, this means that calls can be made without the user really knowing.

Because of this, Neculaesei found a way to abuse the system: a web page carrying JavaScript that automatically launches a phone number’s tel URI as soon as the user views the page, so that a phone call is triggered instantly, possibly to premium-rate numbers that hackers can cash in on.
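One app-side mitigation for the tel problem described above, as an added example that is not from this post or from Sinch: an Android WebViewClient that intercepts tel: navigations inside an in-app web view and asks the user before handing the number to the dialer. The class name and dialog strings are made up for illustration.

```java
import android.app.AlertDialog;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical client: a tel: link loaded by page script (or tapped) never dials on its own.
public class ConfirmingWebViewClient extends WebViewClient {

    // API 24+ delivers the navigation as a WebResourceRequest.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return confirmBeforeDialing(view.getContext(), request.getUrl());
    }

    // Older API levels still call the String overload.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return confirmBeforeDialing(view.getContext(), Uri.parse(url));
    }

    private boolean confirmBeforeDialing(Context ctx, Uri uri) {
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("tel")) {
            return false; // ordinary http(s) navigation: let the WebView load it
        }
        final String number = uri.getSchemeSpecificPart();
        new AlertDialog.Builder(ctx)
            .setTitle("Call this number?")
            .setMessage(number)
            .setPositiveButton("Open dialer", (dialog, which) -> {
                // ACTION_DIAL only pre-fills the dialer; the user must still press Call.
                // ACTION_CALL would place the call immediately and is deliberately avoided.
                ctx.startActivity(new Intent(Intent.ACTION_DIAL,
                        Uri.fromParts("tel", number, null)));
            })
            .setNegativeButton("Cancel", null)
            .show();
        return true; // swallow the navigation: nothing is dialed without the tap above
    }
}
```

Attach it with `webView.setWebViewClient(new ConfirmingWebViewClient())`; a page that sets `location.href` to a tel: URI then gets a prompt instead of a silent call.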

As stated before, phone numbers are “the one unifier across all of our mobile communication” and a good source of information about users. As mobile usage increases, and the security problems with it, mobile also becomes the solution: a great way to secure your app is to verify your users and keep the unwanted ones out.
